Acuity CMS 2.6.x Directory Traversal

`1. OVERVIEW  
  
Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal.  
  
  
2. BACKGROUND  
  
Acuity CMS is a powerful but simple, extremely easy to use, low  
priced, easy to deploy content management system. It is a leader in  
its price and feature class.  
  
  
3. VULNERABILITY DESCRIPTION  
  
The issue is due to the script, /admin/file_manager/browse.asp, not  
properly sanitizing user input, specifically directory traversal style  
attacks (e.g., ../../) supplied via the 'path' parameter. It would  
allow the attacker to access arbitrary files outside of web root  
directory.  
  
  
4. VERSIONS AFFECTED  
  
Tested with version 2.6.2.  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../  
  
  
6. SOLUTION  
  
The Acunity CMS is no longer in active development.  
It is recommended to user another CMS in active development and support.  
  
  
7. VENDOR  
  
The Collective  
http://www.thecollective.com.au/  
  
  
8. CREDIT  
  
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-05-20: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal  
  
#yehg [2012-05-20]  
`